diff --git a/0070.patch b/0070.patch
new file mode 100644
index 0000000..edfdd77
--- /dev/null
+++ b/0070.patch
@@ -0,0 +1,250 @@ +From 29616c6a89437e138bb5abc55b42325d0d2b1394 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Tue, 22 Oct 2024 17:30:32 +0200 +Subject: [PATCH] ci: fix CentOS-9-Stream container and ci config + + - correct URL for dash + - add missing dependencies + - use centos9 instead of fedora + +rhel-only + +Resolves: RHEL-65249 +--- + .github/workflows/integration.yml | 4 +- + test/container/Dockerfile-Arch | 25 ------------- + test/container/Dockerfile-CentOS-9-Stream | 5 ++- + test/container/Dockerfile-Debian | 61 ------------------------------- + test/container/Dockerfile-Fedora-latest | 56 ---------------------------- + test/container/Dockerfile-OpenSuse-latest | 23 ------------ + 6 files changed, 5 insertions(+), 169 deletions(-) + +diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml +index c22bf916..c023ab16 100644 +--- a/.github/workflows/integration.yml ++++ b/.github/workflows/integration.yml +@@ -14,7 +14,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "04", +@@ -40,7 +40,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "01", +diff --git a/test/container/Dockerfile-Arch b/test/container/Dockerfile-Arch +deleted file mode 100644 +index 4112cc5b..00000000 +--- a/test/container/Dockerfile-Arch ++++ /dev/null +@@ -1,25 +0,0 @@ +-FROM docker.io/archlinux +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN pacman --noconfirm -Sy \ +- linux dash strace dhclient asciidoc cpio pigz squashfs-tools \ +- qemu btrfs-progs mdadm dmraid nfs-utils nfsidmap lvm2 nbd \ +- dhcp networkmanager 
multipath-tools vi tcpdump open-iscsi \ +- git shfmt shellcheck astyle which base-devel glibc parted && yes | pacman -Scc +- +-RUN useradd -m build +-RUN su build -c 'cd && git clone https://aur.archlinux.org/perl-config-general.git && cd perl-config-general && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/perl-config-general/*.pkg.tar.* +-RUN su build -c 'cd && git clone https://aur.archlinux.org/tgt.git && cd tgt && echo "CFLAGS=-Wno-error=stringop-truncation" >> PKGBUILD && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/tgt/*.pkg.tar.* +-RUN rm -fr ~build +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream +index abcc067e..26d308d2 100644 +--- a/test/container/Dockerfile-CentOS-9-Stream ++++ b/test/container/Dockerfile-CentOS-9-Stream +@@ -8,9 +8,10 @@ LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=h + RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh + + # Install needed packages for the dracut CI container +-# FIXME: properly re-add dash once C9S EPEL is available ++# FIXME: add dmraid, scsi-target-utils (e.g. 
from COPR) + RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \ +- http://mirrors.kernel.org/fedora/releases/34/Everything/x86_64/os/Packages/d/dash-0.5.10.2-8.fc34.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \ + qemu-kvm \ + NetworkManager \ + asciidoc \ +diff --git a/test/container/Dockerfile-Debian b/test/container/Dockerfile-Debian +deleted file mode 100644 +index 15eb9958..00000000 +--- a/test/container/Dockerfile-Debian ++++ /dev/null +@@ -1,61 +0,0 @@ +-FROM docker.io/debian:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN apt-get update -y -qq && apt-get upgrade -y -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends -o Dpkg::Use-Pty=0 \ +- asciidoc \ +- astyle \ +- btrfs-progs \ +- busybox-static \ +- bzip2 \ +- ca-certificates \ +- console-setup \ +- cpio \ +- cryptsetup \ +- curl \ +- dash \ +- debhelper \ +- debhelper-compat \ +- docbook \ +- docbook-xml \ +- docbook-xsl \ +- fdisk \ +- g++ \ +- git \ +- iputils-ping \ +- isc-dhcp-client \ +- kmod \ +- less \ +- libkmod-dev \ +- linux-image-generic \ +- lvm2 \ +- make \ +- mdadm \ +- multipath-tools \ +- nbd-client \ +- network-manager \ +- nfs-common \ +- open-iscsi \ +- parted \ +- pigz \ +- pkg-config \ +- procps \ +- qemu-system-x86 \ +- quilt \ +- shellcheck \ +- squashfs-tools \ +- strace \ +- sudo \ +- tcpdump \ +- vim \ +- wget \ +- && apt-get clean +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git 
a/test/container/Dockerfile-Fedora-latest b/test/container/Dockerfile-Fedora-latest +deleted file mode 100644 +index a38a72ef..00000000 +--- a/test/container/Dockerfile-Fedora-latest ++++ /dev/null +@@ -1,56 +0,0 @@ +-FROM registry.fedoraproject.org/fedora:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash \ +- pigz \ +- asciidoc \ +- mdadm \ +- lvm2 \ +- dmraid \ +- cryptsetup \ +- nfs-utils \ +- nbd \ +- dhcp-server \ +- scsi-target-utils \ +- iscsi-initiator-utils \ +- strace \ +- btrfs-progs \ +- kmod-devel \ +- gcc \ +- bzip2 \ +- xz \ +- tar \ +- wget \ +- rpm-build \ +- make \ +- git \ +- bash-completion \ +- sudo \ +- kernel \ +- dhcp-client \ +- /usr/bin/qemu-kvm \ +- /usr/bin/qemu-system-$(uname -i) \ +- e2fsprogs \ +- tcpdump \ +- iproute \ +- iputils \ +- dbus-daemon \ +- kbd \ +- NetworkManager \ +- squashfs-tools \ +- which \ +- ShellCheck \ +- shfmt \ +- parted \ +- && dnf -y update && dnf clean all +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-OpenSuse-latest b/test/container/Dockerfile-OpenSuse-latest +deleted file mode 100644 +index 9aaf07b1..00000000 +--- a/test/container/Dockerfile-OpenSuse-latest ++++ /dev/null +@@ -1,23 +0,0 @@ +-FROM registry.opensuse.org/opensuse/tumbleweed-dnf:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# 
Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash asciidoc mdadm lvm2 dmraid cryptsetup nfs-utils nbd dhcp-server \ +- strace libkmod-devel gcc bzip2 xz tar wget rpm-build make git bash-completion \ +- sudo kernel dhcp-client qemu-kvm /usr/bin/qemu-system-$(uname -m) e2fsprogs \ +- tcpdump iproute iputils kbd NetworkManager btrfsprogs tgt dbus-broker \ +- iscsiuio open-iscsi which ShellCheck procps pigz parted squashfs \ +- && dnf -y update && dnf clean all +- +-RUN shfmt_version=3.2.4; wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O /usr/local/bin/shfmt \ +- && chmod +x /usr/local/bin/shfmt +- +-# Set default command +-CMD ["/usr/bin/bash"] + diff --git a/0071.patch b/0071.patch new file mode 100644 index 0000000..4e9daec --- /dev/null +++ b/0071.patch @@ -0,0 +1,35 @@ +From 0a264651d148b543c0c5d6b0a07909cdcb1abfba Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Tue, 26 Nov 2024 11:27:54 +0100 +Subject: [PATCH] fix(35network-manager): install nftables kernel modules + needed + +NetworkManager requires nf_tables, nfnetlink and nft_fwd_netdev kernel +modules to operate balance-slb bonding mode. + +Fixes a6264d1726d9 ("fix(35network-manager): install nft binary during module installation") + +(cherry picked from commit 037da383dd8d9d9d699f1430d6afc790b28b18f8) + +Resolves: RHEL-64754 +--- + modules.d/35network-manager/module-setup.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index c93c6a3c..6ed8c04e 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -19,6 +19,11 @@ installkernel() { + return 0 + } + ++# called by dracut ++installkernel() { ++ instmods nf_tables nfnetlink nft_fwd_netdev ++} ++ + # called by dracut + install() { + local _nm_version + 
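Review bot: The two RPMs now pulled by URL in Dockerfile-CentOS-9-Stream are installed without any signature check: dnf's `localpkg_gpgcheck` setting, which governs URL and local packages, defaults to off, so only the TLS connection to dl.fedoraproject.org stands between the build and a substituted package, and the hard-coded NVRs will stop resolving as soon as EPEL rebuilds dash or btrfs-progs. Since EPEL 9 is available (the removed FIXME was waiting on it), prefer installing `epel-release` and then `dash` and `btrfs-progs` from the repository with its GPG key; if the URLs must stay, add `--setopt=localpkg_gpgcheck=1` after importing the EPEL 9 key in the same layer. The new FIXME mentions COPR for dmraid and scsi-target-utils, and the same signature consideration applies there. The other five file sections of this patch are whole-file deletions and a CI matrix value change and raise nothing.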
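Review bot: The hunk header `@@ -19,6 +19,11 @@ installkernel() {` together with the context lines `return 0` / `}` shows that module-setup.sh already has an `installkernel()` whose body closes just above the new one, so the file now defines the function twice and only the later definition (the `instmods` one) takes effect; the earlier stub, which starts before the hunk, should be removed or merged rather than left as dead code that reads as if it still applies. If the earlier body is just `return 0`, the net change is one line: replace it with `instmods nf_tables nfnetlink nft_fwd_netdev` and drop the second definition.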
diff --git a/0072.patch b/0072.patch new file mode 100644 index 0000000..95a48cc --- /dev/null +++ b/0072.patch @@ -0,0 +1,35 @@ +From 3db62d5a16557941ef95ab0aa838f1012c20af9e Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Thu, 21 Nov 2024 00:40:27 +0100 +Subject: [PATCH] fix(35network-manager): install nft binary during module + installation + +NetworkManager has a new bonding mode called balance-slb. This mode is +used in environments where NICs are connected to switches without LACP. +In order to work, NetworkManager configures a set of nftables rules. + +The 'nft' binary is required to work. + +Signed-off-by: Fernando Fernandez Mancera + +(cherry picked from commit 37317b61fda5181aeb0604381e994e8181a53200) + +Resolves: RHEL-64754 +--- + modules.d/35network-manager/module-setup.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index 6ed8c04e..4fd3d051 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -37,7 +37,7 @@ install() { + inst NetworkManager + inst_multiple -o /usr/{lib,libexec}/nm-initrd-generator + inst_multiple -o /usr/{lib,libexec}/nm-daemon-helper +- inst_multiple -o teamd dhclient ++ inst_multiple -o teamd dhclient nft + inst_hook cmdline 99 "$moddir/nm-config.sh" + if dracut_module_included "systemd"; then + + diff --git a/0073.patch b/0073.patch new file mode 100644 index 0000000..0246d4d --- /dev/null +++ b/0073.patch 
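Review bot: `nft` joins the `-o` (optional) list, so an image built on a host without nftables ships the kernel modules added by 0071.patch but no `nft` binary, and NetworkManager's balance-slb setup fails only at boot with nothing in the dracut build log. If nft is required whenever this module is included, consider either a hard `inst_multiple nft` or at least a build-time warning when it is absent, e.g. `find_binary nft > /dev/null || dwarn "nft not found, NetworkManager balance-slb bonding will not work in the initrd"`. install() starts before the hunk and continues after it.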
@@ -0,0 +1,100 @@ +From e3bba58810038d0e7bc83988355e07eb30c1f5a7 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 20 Jun 2024 13:38:26 +0800 +Subject: [PATCH] fix(dracut-install): copy xattr when use clone ioctl + +When use clone ioctl to copy a file, the extended attributes of files are +missing, which is inconsistent with the result by using the cp command. +This commit add the process to copy extended attributes after clone_file(). + +Signed-off-by: Huaxin Lu + +(cherry picked from commit 1cf0db26e43fe4c6173acdb8047f16666ebf070a) + +Resolves: RHEL-55245 +--- + src/install/dracut-install.c | 56 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c +index 997d62d3..2ad783d3 100644 +--- a/src/install/dracut-install.c ++++ b/src/install/dracut-install.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "hashmap.h" +@@ -267,6 +268,56 @@ static inline int clone_file(int dest_fd, int src_fd) + return ioctl(dest_fd, BTRFS_IOC_CLONE, src_fd); + } + ++static int copy_xattr(int dest_fd, int src_fd) ++{ ++ int ret = 0; ++ ssize_t name_len = 0, value_len = 0; ++ char *name_buf = NULL, *name = NULL, *value = NULL, *value_save = NULL; ++ ++ name_len = flistxattr(src_fd, NULL, 0); ++ if (name_len < 0) ++ return -1; ++ ++ name_buf = calloc(1, name_len + 1); ++ if (name_buf == NULL) ++ return -1; ++ ++ name_len = flistxattr(src_fd, name_buf, name_len); ++ if (name_len < 0) ++ goto out; ++ ++ for (name = name_buf; name != name_buf + name_len; name = strchr(name, '\0') + 1) { ++ value_len = fgetxattr(src_fd, name, NULL, 0); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } ++ ++ value_save = value; ++ value = realloc(value, value_len); ++ if (value == NULL) { ++ value = value_save; ++ ret = -1; ++ goto out; ++ } ++ ++ value_len = fgetxattr(src_fd, name, value, value_len); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } 
++ ++ value_len = fsetxattr(dest_fd, name, value, value_len, 0); ++ if (value_len < 0) ++ ret = -1; ++ } ++ ++out: ++ free(name_buf); ++ free(value); ++ return ret; ++} ++ + static bool use_clone = true; + + static int cp(const char *src, const char *dst) +@@ -308,6 +359,11 @@ static int cp(const char *src, const char *dst) + log_info("Failed to chown %s: %m", dst); + } + ++ if (geteuid() == 0 && no_xattr == false) { ++ if (copy_xattr(dest_desc, source_desc) != 0) ++ log_error("Failed to copy xattr %s: %m", dst); ++ } ++ + tv[0].tv_sec = sb.st_atime; + tv[0].tv_usec = 0; + tv[1].tv_sec = sb.st_mtime; + diff --git a/0074.patch b/0074.patch new file mode 100644 index 0000000..708a625 --- /dev/null +++ b/0074.patch 
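Review bot: copy_xattr() can double-free `value` for an attribute whose value is empty: `fgetxattr(src_fd, name, NULL, 0)` returns 0, `realloc(value, 0)` is then permitted to free the old block and return NULL, and the NULL branch restores the stale `value_save` that `free(value)` at `out:` releases a second time. Handle the zero-length case before the realloc, as below; setting the attribute with an empty buffer keeps the result consistent with `cp`. Separately, the `%m` in the new `log_error("Failed to copy xattr %s: %m", dst)` call in cp() prints errno from whatever call ran last, which after a `continue` in the loop is not necessarily the one that failed; logging at the failing call inside copy_xattr(), with the attribute name, would be more useful.
```c
    for (name = name_buf; name != name_buf + name_len; name = strchr(name, '\0') + 1) {
        value_len = fgetxattr(src_fd, name, NULL, 0);
        if (value_len < 0) {
            ret = -1;
            continue;
        }

        /* Empty values are legal; realloc(ptr, 0) may free ptr and return NULL,
         * which the error path below would then free again at out:. */
        if (value_len == 0) {
            if (fsetxattr(dest_fd, name, "", 0, 0) < 0)
                ret = -1;
            continue;
        }

        /* … unchanged: realloc, fgetxattr, fsetxattr … */
    }
```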
@@ -0,0 +1,138 @@ +From 01e51a69c34b58ddb974a1489c2990bb77bf791e Mon Sep 17 00:00:00 2001 +From: Lichen Liu +Date: Wed, 7 Aug 2024 10:13:37 +0800 +Subject: [PATCH] feat(dracut.sh): add --add-confdir option + +When generating kdump's initrd, we want to keep [omit_]dracutmodules +empty and let kdump to handle the modules. And we don't want to +affect the first kernel's initrd, so we cannot place our conf file +to /etc/dracut.conf.d or /usr/lib/dracut/dracut.conf.d. + +This patch adds a new option to allow user to add an extra configuration +directory to use *.conf files from. If the dir not exists, will look for +confdir's subdir. + +After that, kdump can use "--add-confdir kdump" if +/usr/lib/dracut/dracut.conf.d/kdump exists, to apply its own dracut conf. + +See also: +https://github.com/rhkdump/kdump-utils/issues/11 +https://github.com/rhkdump/kdump-utils/pull/31 + +Suggested-by: Dave Young +Signed-off-by: Lichen Liu + +(cherry picked from commit ae81535037c42b716d8cbb9dc18942b5c6f16fed) + +Resolves: RHEL-66582 +--- + dracut.sh | 25 ++++++++++++++++++++++++- + man/dracut.8.asc | 8 ++++++++ + shell-completion/bash/dracut | 4 ++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 778eefd7..7e4b0602 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -156,6 +156,9 @@ Creates initial ramdisk images for preloading modules + Default: /etc/dracut.conf + --confdir [DIR] Specify configuration directory to use *.conf files + from. Default: /etc/dracut.conf.d ++ --add-confdir [DIR] Add an extra configuration directory to use *.conf ++ files from. If the directory is not existed, will ++ look for subdirectory under confdir. + --tmpdir [DIR] Temporary directory to be used instead of default + ${TMPDIR:-/var/tmp}. + -r, --sysroot [DIR] Specify sysroot directory to collect files from. 
+@@ -400,6 +403,7 @@ rearrange_params() { + --long kmoddir: \ + --long conf: \ + --long confdir: \ ++ --long add-confdir: \ + --long tmpdir: \ + --long sysroot: \ + --long stdlog: \ +@@ -676,6 +680,11 @@ while :; do + PARMS_TO_STORE+=" '$2'" + shift + ;; ++ --add-confdir) ++ add_confdir="$2" ++ PARMS_TO_STORE+=" '$2'" ++ shift ++ ;; + --tmpdir) + tmpdir_l="$2" + PARMS_TO_STORE+=" '$2'" +@@ -931,6 +940,20 @@ elif [[ ! -d $confdir ]]; then + exit 1 + fi + ++if [[ -n $add_confdir ]]; then ++ if [[ -d $add_confdir ]]; then ++ : ++ # Check if it exists under $confdir. ++ elif [[ -d $confdir/$add_confdir ]]; then ++ add_confdir="$confdir/$add_confdir" ++ elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ else ++ printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 ++ exit 1 ++ fi ++fi ++ + # source our config file + if [[ -f $conffile ]]; then + check_conf_file "$conffile" +@@ -939,7 +962,7 @@ if [[ -f $conffile ]]; then + fi + + # source our config dir +-for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do ++for f in $(dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"); do + check_conf_file "$f" + # shellcheck disable=SC1090 + [[ -e $f ]] && . "$f" +diff --git a/man/dracut.8.asc b/man/dracut.8.asc +index 8339e8a9..15ae36e6 100644 +--- a/man/dracut.8.asc ++++ b/man/dracut.8.asc +@@ -311,6 +311,14 @@ Default: + Default: + _/etc/dracut.conf.d_ + ++**--add-confdir** __:: ++ Add an extra configuration directory to use *.conf files from. If the ++ directory is not existed, will look for subdirectory under confdir. +++ ++Default: ++ _empty_ ++ ++ + **--tmpdir** __:: + Specify temporary directory to use. 
+ + +diff --git a/shell-completion/bash/dracut b/shell-completion/bash/dracut +index 9b51db01..bc14aa9a 100644 +--- a/shell-completion/bash/dracut ++++ b/shell-completion/bash/dracut +@@ -46,14 +46,14 @@ _dracut() { + --kernel-cmdline --sshkey --persistent-policy --install-optional + --loginstall --uefi-stub --kernel-image --squash-compressor + --sysroot --hostonly-mode --hostonly-nics --include --logfile +- --uefi-splash-image --sbat ++ --uefi-splash-image --sbat --add-confdir + ' + ) + + # shellcheck disable=SC2086 + if __contains_word "$prev" ${OPTS[ARG]}; then + case $prev in +- --kmoddir | -k | --fwdir | --confdir | --tmpdir | -r | --sysroot) ++ --kmoddir | -k | --fwdir | --confdir | --add-confdir | --tmpdir | -r | --sysroot) + comps=$(compgen -d -- "$cur") + compopt -o filenames + ;; + diff --git a/0075.patch b/0075.patch new file mode 100644 index 0000000..21ce11c --- /dev/null +++ b/0075.patch @@ -0,0 +1,28 @@ +From cb1c0c94322768dcdc8748b3623c0a4ba1afde71 Mon Sep 17 00:00:00 2001 +From: Jo Zzsi +Date: Wed, 11 Sep 2024 16:57:13 -0400 +Subject: [PATCH] fix: typo in variable name + +(cherry picked from commit 76b2f1a9b52afd4203c1d0e6afb57314bbfe8407) + +Resolves: RHEL-66582 +--- + dracut.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 7e4b0602..f748a073 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -946,8 +946,8 @@ if [[ -n $add_confdir ]]; then + # Check if it exists under $confdir. + elif [[ -d $confdir/$add_confdir ]]; then + add_confdir="$confdir/$add_confdir" +- elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then +- add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ elif [[ -d $dracutbasedir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasedir/dracut.conf.d/$add_confdir" + else + printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 + exit 1 + diff --git a/0076.patch b/0076.patch new file mode 100644 index 0000000..83d5f80 --- /dev/null 
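Review bot: When --add-confdir is not given, the new `dropindirs_sort` call passes an empty string as a directory; if dropindirs_sort globs `"$d/"*.conf` for each argument (it is defined outside this hunk), that argument expands to `/*.conf`, so any *.conf file in the filesystem root would be sourced as dracut configuration on every run. Pass the directory only when set: `for f in $(dropindirs_sort ".conf" "$confdir" ${add_confdir:+"$add_confdir"} "$dracutbasedir/dracut.conf.d"); do`. A relative value is also tried against the current working directory before `$confdir`, so `--add-confdir kdump` run from a directory that happens to contain a `kdump` subdirectory silently uses that one; the help and man text should state the lookup order, and their wording `If the directory is not existed, will look for subdirectory under confdir.` reads better as `If the directory does not exist, a subdirectory of that name under confdir is used.`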
+++ b/0076.patch 
@@ -0,0 +1,118 @@ +From 492bc949e16f78fad9f274744c72bc2fd0161d84 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Fri, 9 Aug 2024 12:49:05 +0200 +Subject: [PATCH] feat(fips): add support for UKIs + +Kernel integrity check in FIPS module is incompatible with UKIs as neither +/boot/vmlinuz-`uname-r` nor /boot/.vmlinuz-`uname-r`.hmac are present. UKI +is placed to $ESP\EFI\Linux\-.efi and if a .hmac file +is present next to it, it is possible to do similar check. + +Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected +to be set. Luckily, if the UKI is systemd-stub based then we can expect +'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount +it to /boot using the existing logic. + +Signed-off-by: Vitaly Kuznetsov + +(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be) + +Resolves: RHEL-56885 +--- + modules.d/01fips/fips.sh | 51 ++++++++++++++++++++++++++++++++++++++++ + modules.d/01fips/module-setup.sh | 2 +- + 2 files changed, 52 insertions(+), 1 deletion(-) + +diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh +index 05631c8a..3889dc0c 100755 +--- a/modules.d/01fips/fips.sh ++++ b/modules.d/01fips/fips.sh +@@ -14,9 +14,22 @@ else + } + fi + ++# Checks if a systemd-based UKI is running and ESP UUID is set ++is_uki() { ++ [ -f /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] \ ++ && [ -f /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] ++} ++ + mount_boot() { + boot=$(getarg boot=) + ++ if is_uki && [ -z "$boot" ]; then ++ # efivar file has 4 bytes header and contain UCS-2 data. Note, 'cat' is required ++ # as sys/firmware/efi/efivars/ files are 'special' and don't allow 'seeking'. 
++ # shellcheck disable=SC2002 ++ boot="PARTUUID=$(cat /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f | tail -c +5 | tr -d '\0' | tr 'A-F' 'a-f')" ++ fi ++ + if [ -n "$boot" ]; then + if [ -d /boot ] && ismounted /boot; then + boot_dev= +@@ -81,6 +94,41 @@ do_rhevh_check() { + return 0 + } + ++do_uki_check() { ++ local KVER ++ local uki_checked=0 ++ ++ KVER="$(uname -r)" ++ # UKI are placed in $ESP\EFI\Linux\-.efi ++ if ! [ "$FIPS_MOUNTED_BOOT" = 1 ]; then ++ warn "Failed to mount ESP for doing UKI integrity check" ++ return 1 ++ fi ++ ++ for UKIpath in /boot/EFI/Linux/*-"$KVER".efi; do ++ # UKIs are installed to $ESP/EFI/Linux/-.efi ++ # and in some cases (e.g. when the image is used as a template for creating new ++ # VMs) entry-token-or-machine-id can change. To make sure the running UKI is ++ # always checked, check all UKIs which match the 'uname -r' of the running kernel ++ # and fail the whole check if any of the matching UKIs are corrupted. ++ ++ [ -r "$UKIpath" ] || break ++ ++ local UKI="${UKIpath##*/}" ++ local UKIHMAC=."$UKI".hmac ++ ++ fips_info "checking $UKIHMAC" ++ (cd /boot/EFI/Linux/ && sha512hmac -c "$UKIHMAC") || return 1 ++ uki_checked=1 ++ done ++ ++ if [ "$uki_checked" = 0 ]; then ++ warn "Failed for find UKI for checking" ++ return 1 ++ fi ++ return 0 ++} ++ + nonfatal_modprobe() { + modprobe "$1" 2>&1 > /dev/stdout \ + | while read -r line || [ -n "$line" ]; do +@@ -133,6 +181,9 @@ do_fips() { + elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then + # This is a boot.iso with the .hmac inside the install.img + do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1 ++ elif is_uki; then ++ # This is a UKI ++ do_uki_check || return 1 + else + BOOT_IMAGE="$(getarg BOOT_IMAGE)" + +diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh +index 91612ff3..a090bc88 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -67,7 +67,7 @@ 
install() { + inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" + inst_script "$moddir/fips.sh" /sbin/fips.sh + +- inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort ++ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr + + inst_simple /etc/system-fips + + diff --git a/0077.patch b/0077.patch new file mode 100644 index 0000000..b003fd9 --- /dev/null +++ b/0077.patch 
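Review bot: In do_uki_check() `[ -r "$UKIpath" ] || break` serves both as the unmatched-glob guard and as the unreadable-file case, so an unreadable UKI that follows one which verified is skipped and the function still returns 0, contradicting the comment above it that any corrupted matching UKI must fail the whole check. Separate the two: `[ -e "$UKIpath" ] || break` for the literal pattern and `[ -r "$UKIpath" ] || return 1` for a file that cannot be read. The message `warn "Failed for find UKI for checking"` would read better as `warn "Failed to find a UKI to check"`, and `UKIpath` is the only loop variable in the function not declared `local`.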
@@ -0,0 +1,52 @@ +From f4cda60fd9725d5aa6dd25ee67909339d6400af8 Mon Sep 17 00:00:00 2001 +From: Adrien Thierry +Date: Mon, 13 Feb 2023 10:43:32 -0500 +Subject: [PATCH] fix(kernel-modules): use modalias info in get_dev_module() + +When calling dracut with '--hostonly-mode=strict', get_dev_module() gets +called on the system's block devices to find the required drivers. The +driver name is retrieved using udevadm. However, the driver name +returned by udevadm is not necessarily the same as the module name. +This is the case for the Qualcomm UFS driver: udevadm returns +'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is +not able to find the module afterwards. + +To solve this, make get_dev_module() also return the module alias info +from the modalias files contained in the sysfs directories parsed by +udevadm. + +Signed-off-by: Adrien Thierry + +(cherry picked from commit 87a76dbb578aff473e690857d1b714eacd92b9ec) + +Resolves: RHEL-55708 +--- + dracut-functions.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dracut-functions.sh b/dracut-functions.sh +index 3c475ca7..f2614308 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -971,8 +971,20 @@ block_is_netdevice() { + get_dev_module() { + local dev_attr_walk + local dev_drivers ++ local dev_paths + dev_attr_walk=$(udevadm info -a "$1") + dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ ++ # also return modalias info from sysfs paths parsed by udevadm ++ dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') ++ local dev_path ++ for dev_path in $dev_paths; do ++ local modalias_file="/sys$dev_path/modalias" ++ if [ -e "$modalias_file" ]; then ++ dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")" ++ fi ++ done ++ + # if no kernel modules found and device is in a virtual subsystem, follow symlinks + if [[ -z $dev_drivers && $(udevadm info -q path "$1") == "/devices/virtual"* ]]; then + 
local dev_vkernel
+
diff --git a/0078.patch b/0078.patch
new file mode 100644
index 0000000..d763e13
--- /dev/null
+++ b/0078.patch
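Review bot: Appending modalias strings to `dev_drivers` changes the meaning of the `-z $dev_drivers` test in the last context lines of the hunk: a device with no `DRIVERS==` entries but a modalias file on one of its sysfs ancestors now has a non-empty `dev_drivers`, so the virtual-subsystem fallback (which continues past the hunk) is no longer taken; worth confirming that is intended for devices under /devices/virtual. Also, with `dev_drivers` empty the `printf "%s\n%s"` result begins with a blank line, and bash's `$(< "$modalias_file")` would avoid the extra `cat` process: `dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(< "$modalias_file")")"`. get_dev_module() starts before the hunk and continues after it.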
@@ -0,0 +1,83 @@ +From f194bd6ad64f7baae1a8fded967a198b1127cb64 Mon Sep 17 00:00:00 2001 +From: Tao Liu +Date: Wed, 12 Apr 2023 23:02:25 +0800 +Subject: [PATCH] fix(dracut-functions.sh): convert mmcblk to the real kernel + module name + +In some x86_64 platforms such as Intel Elkhartlake, an issue of missing +necessary modules due to udevadm drivers field unmatch the real kernel module +name is found: + + $ udevadm info -a /dev/block/179:1 + + looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001': + KERNELS=="mmc0:0001" + SUBSYSTEMS=="mmc" + DRIVERS=="mmcblk" + .... + +The DRIVERS field, aka mmcblk will be given to instmods to install the +corresponding mmc_block.ko kernel module. However mmc_block.ko cannot be +selected by string mmcblk, as a result, mmc_block.ko cannot be installed +in hostonly-mode strict, which will fail to bootup the machine such as in +kdump cases: + + $ /usr/lib/dracut/dracut-install -D /var/tmp --kerneldir /lib/modules/$(uname -r)/ -m mmcblk + dracut-install: Failed to find module 'mmcblk' + +In this patch, we will convert the string mmcblk to mmc_block, so the +kernel module can be successfully loaded. 
+ +Signed-off-by: Tao Liu + +(cherry picked from commit a62e895db9510f0fc4c47ee81b1436096eca4d64) + +Resolves: RHEL-55708 +--- + dracut-functions.sh | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/dracut-functions.sh b/dracut-functions.sh +index f2614308..2e582ebc 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -967,13 +967,30 @@ block_is_netdevice() { + block_is_nbd "$1" || block_is_iscsi "$1" || block_is_fcoe "$1" + } + ++# convert the driver name given by udevadm to the corresponding kernel module name ++get_module_name() { ++ local dev_driver ++ while read -r dev_driver; do ++ case "$dev_driver" in ++ mmcblk) ++ echo "mmc_block" ++ ;; ++ *) ++ echo "$dev_driver" ++ ;; ++ esac ++ done ++} ++ + # get the corresponding kernel modules of a /sys/class/*/* or/dev/* device + get_dev_module() { + local dev_attr_walk + local dev_drivers + local dev_paths + dev_attr_walk=$(udevadm info -a "$1") +- dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ dev_drivers=$(echo "$dev_attr_walk" \ ++ | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name) + + # also return modalias info from sysfs paths parsed by udevadm + dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') +@@ -1001,6 +1018,7 @@ get_dev_module() { + [[ -n $dev_drivers && ${dev_drivers: -1} != $'\n' ]] && dev_drivers+=$'\n' + dev_drivers+=$(udevadm info -a "$dev_vpath/$dev_link" \ + | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name \ + | grep -v -e pcieport) + done + fi diff --git a/dracut.spec b/dracut.spec index c238655..aa29476 100644 --- a/dracut.spec +++ b/dracut.spec @@ -5,7 +5,7 @@ # strip the automatically generated dep here and instead co-own the # directory. %global __requires_exclude pkg-config -%define dist_free_release 70.git20240819 +%define dist_free_release 79.git20241127 Name: dracut Version: 057 
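Review bot: get_module_name() prints each name with `echo "$dev_driver"`; `printf "%s\n" "$dev_driver"` is the safer form for a value the function does not control (echo interprets a leading `-` as an option), and the same applies to `echo "mmc_block"`. The mapping is a single hard-coded `case`; a one-line comment above it saying that udev reports the driver name whereas dracut-install needs the module name (as the commit message explains) would save the next reader a blame. The function is spliced into both `sed` pipelines of get_dev_module(), the second of which continues past the hunk.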
@@ -98,6 +98,15 @@ Patch66: 0066.patch Patch67: 0067.patch Patch68: 0068.patch Patch69: 0069.patch +Patch70: 0070.patch +Patch71: 0071.patch +Patch72: 0072.patch +Patch73: 0073.patch +Patch74: 0074.patch +Patch75: 0075.patch +Patch76: 0076.patch +Patch77: 0077.patch +Patch78: 0078.patch Source1: https://www.gnu.org/licenses/lgpl-2.1.txt @@ -550,6 +559,16 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Wed Nov 27 2024 Pavel Valena - 057-79.git20241127 +- fix(35network-manager): install nftables kernel modules +- fix(35network-manager): install nft binary during module +- fix(dracut-install): copy xattr when use clone ioctl +- feat(dracut.sh): add --add-confdir option +- fix: typo in variable name +- feat(fips): add support for UKIs +- fix(kernel-modules): use modalias info in get_dev_module() +- fix(dracut-functions.sh): convert mmcblk to the real kernel + * Mon Aug 19 2024 Pavel Valena - 057-70.git20240819 - fix(systemd): set right permissions for the machine-id file - feat(lsinitrd.sh): look for initrd in /usr/lib/modules/